NPM Auth Gateway

User-level access control for Nginx Proxy Manager with auto IP whitelisting.

Repository: github.com/Mark0025/npm-auth-gateway

What It Does

NPM Auth Gateway is a companion app that adds user management on top of NPM's access list system. Instead of manually adding IPs to access lists, users log in through an auth provider and their IP is automatically whitelisted on the access lists they've been assigned to.

NPM remains fully in control — the gateway only reads and writes through NPM's REST API. All access enforcement stays in NPM's nginx config.

The Problem It Solves

Manual IP management — every time a user needs access, an admin manually adds their IP to an access list
IP changes — mobile users, VPNs, and travel mean IPs change constantly
No user visibility — access lists contain IPs, but there's no record of who each IP belongs to
Scaling — managing 10+ users across multiple access lists gets tedious

How It Works

Browser → NPM (SSL) → Auth Gateway → Auth Provider
                                          ↓
                                    NPM REST API (:81)
                                    auto-add IP to access lists

Admin creates a user by email
Admin assigns access — a table of proxy hosts with checkboxes showing which hosts each access list protects
User logs in → IP detected → automatically added to their assigned NPM access lists
User's IP changes → they log in again → new IP auto-added
Admin revokes access → user's IPs removed from all access lists

Key Features

Auto IP whitelisting on login
Per-host access control with checkboxes (not abstract groups)
Admin/user roles — admin sees everything, users see only their assigned hosts
Personalized dashboard — users see their services as clickable cards
Login logging with IP history per user
One-click revoke — removes user's IPs from all access lists
Searchable tables for proxy hosts and users
Survives gateway failure — NPM keeps enforcing existing whitelists

Architecture

Responsibility	Who Handles It
SSL termination	NPM
Proxy host configuration	NPM
Access list enforcement	NPM
IP whitelisting	NPM
User identity	Auth Provider
User → access list mapping	Gateway
Auto IP whitelisting	Gateway

No database required. NPM stores all proxy/ACL config. User metadata lives in the auth provider. Zero state duplication.

NPM API Endpoints Used

Endpoint	Purpose
`POST /api/tokens`	Authentication
`GET /api/nginx/proxy-hosts`	List proxy hosts
`GET /api/nginx/access-lists`	List access lists
`PUT /api/nginx/access-lists/:id`	Update access list IPs
`POST /api/nginx/access-lists`	Create access list
`GET /api/nginx/certificates`	List SSL certificates

Setup

See the repository README for Docker deployment instructions.

Tech Stack

Next.js / React / TypeScript / Docker

The auth provider is swappable — the proof of concept uses Clerk, but any OIDC provider works (Auth0, Keycloak, Authentik, etc.).